ShoDhen Privacy Policy
Effective date: 2026-05-21 · Version: 1.1
1. Who we are
This Privacy Policy describes the data practices of Common Nexus LLC, an Oregon limited liability company doing business as ShoDhen ("ShoDhen," "we," "us," "our"). Any reference to data collected, used, processed, stored, or transferred by ShoDhen means data handled by Common Nexus LLC. The data controller of record is Common Nexus LLC.
ShoDhen™ is an assumed business name of Common Nexus LLC. References to "ShoDhen" in this Policy include ShoDhen and its tier sub-brands ShoDhen Gnosis, ShoDhen Counsel, and ShoDhen Context.
2. Scope
This Policy is the single privacy policy governing all ShoDhen products and services, including:
- ShoDhen Gnosis — subscription intelligence briefings for individual subscribers.
- ShoDhen Counsel — subscription intelligence and analysis for business owners.
- ShoDhen Context — programmatic AI-agent access to ShoDhen analysis via the x402 machine-to-machine protocol.
It covers the shodhen.com website, the ShoDhen application, all subscription products, and the ShoDhen Context API. It applies whether you reach us through a web browser, an email subscription, an automated agent, or another channel we operate.
3. Information we collect
We collect the information you give us, the information we generate while providing the services, and a limited amount of information about the device and connection you use.
Account and signup information. When you create an account we collect your name, your email address, and the tier of service you select. We don't use passwords. Depending on how you choose to sign in, we store an authentication credential: a short-lived email magic-link token (stored only as a SHA-256 hash that expires ten minutes after issue) or, if you set one up, a passkey. If you enable two-factor authentication we also store your authenticator (TOTP) secret and one-time recovery codes. If you sign up at a live event, we may collect this same information on paper and enter it into our systems within twenty-four hours.
Onboarding profile. During onboarding you give us the inputs that shape your briefings — the industries, target companies, and role keywords you care about, and optionally a LinkedIn URL. We use these only to curate and produce briefings for you.
Sign-in metadata. We retain sign-in metadata (timestamp, the region inferred from your IP address, device class, and success/failure) for thirty days for security review, then delete it.
Information we generate for you. As we deliver the service we create a per-account list of curated sources we propose for your briefings and the briefings themselves. We keep these to provide and improve your service.
Payment information. Card payments are handled by our payment processor, Stripe. We do not see or store your full card number. Stripe returns to us a token that represents your saved payment method, the last four digits of the card, the card brand, the expiration date, and the billing ZIP or postal code you provide. Charge history, refund history, and the country of issue are also retained for our records.
Product-use telemetry. When you use the ShoDhen products we record the actions you take: which briefings you open, which sections you read, which links you click, which features you enable, and which inputs you submit. We use this telemetry to operate, debug, secure, and improve the services.
Support communications. When you contact us — by email, by support form, or by any other channel we publish — we keep a record of the message you sent, the message we sent back, and any attachments either side shared. We use this record to answer you, to follow up if needed, and to improve our support.
ShoDhen Context API inputs and outputs. When an agent submits a request to the ShoDhen Context API, we log the request, the response we returned, the requesting wallet address, the x402 settlement reference, and timing and size metadata. We use this log to deliver service, to bill correctly, to debug, and to detect abuse.
Cookies and similar technologies. When you visit shodhen.com we set a single session cookie that keeps you signed in; our hosting provider, Cloudflare, may set cookies for security and performance. See §7 below.
Information we receive from third parties. Our payment processor reports payment events back to us (successful charges, failed charges, disputes, refunds). Our email delivery service reports delivery events back to us (delivered, opened, bounced). Hosting and infrastructure vendors generate operational logs.
We do not buy personal information about you from data brokers.
4. How we use information
We use the information we collect for these purposes only:
- To deliver the services you've signed up for — render briefings, run the application, respond to API calls, send transactional email.
- To process payments — pass your card information to Stripe; reconcile charges, refunds, and disputes.
- To communicate with you — about your account, about service changes, about billing, in response to support requests, and (if you've opted in) for marketing.
- To improve the services — measure how features perform, debug issues, and evaluate quality on aggregated and anonymized data.
- To keep the services safe — detect fraud, detect abuse, secure accounts, investigate violations of our Terms.
- To comply with law — respond to lawful legal process, enforce our agreements, defend ourselves in disputes, meet tax and audit obligations.
We do not use your information for purposes beyond these without telling you first.
5. How we share information
We share your information in the limited circumstances below. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
Service providers. We share information with vendors that help us run the services. Each vendor receives only the information they need to do their job, and each is bound by a contract that restricts how they can use it. Our principal vendors are:
- Cloudflare — hosting, database (D1), object storage (R2), and bot/abuse protection (Turnstile).
- Stripe — payment processing and billing.
- Microsoft Graph — transactional email delivery.
- Anthropic PBC — large-language-model inference for briefing generation.
- Exa.ai — signal and source data for briefings.
We update this list as our vendors change. The current list is maintained on this page.
Legal process and safety. We may disclose information when we have a good-faith belief that disclosure is required by law, by a court order, or by a subpoena; when disclosure is necessary to protect our rights, our property, or our customers; or when disclosure is necessary to investigate or stop suspected fraud, abuse, or violations of our Terms.
Business transfers. If we sell, merge, or transfer all or part of our business, your information may be part of the transferred assets. We will tell you before your information becomes subject to a different privacy policy.
With your consent. With your consent we may share information beyond these categories. You can withdraw consent at any time.
6. AI and machine learning
ShoDhen Context produces AI-generated analysis. ShoDhen Gnosis and ShoDhen Counsel briefings also incorporate AI-generated content as one input among others.
When you submit material to ShoDhen Context, your input is processed by one or more AI model providers we contract with. Those providers process your input under contracts that restrict their use to delivering the requested response and (depending on the provider) operating their service. We pass your input to those providers as part of delivering the service.
We may use de-identified, aggregated, and anonymized data derived from your inputs and outputs to evaluate and improve the service. We do not use the contents of your Context inputs and outputs to train third-party foundation models without your explicit consent.
You should treat any material you submit to a ShoDhen AI feature with the same care you would treat any material you send to a third-party AI service: do not submit secrets, credentials, regulated personal information, or anything you would not be comfortable seeing in a vendor's log.
7. Cookies and tracking
We use cookies sparingly:
- A single first-party session cookie that keeps you signed in.
- Our hosting provider, Cloudflare, may set its own cookies to keep the site secure and performant (Cloudflare is listed in the Subprocessors in §5).
We do not set analytics cookies, we do not use third-party advertising cookies, and we do not participate in cross-site advertising networks. Because we use only strictly-necessary cookies, we don't show a cookie consent banner — there's nothing non-essential to consent to.
Most browsers accept cookies automatically, but you can change your browser settings to refuse them. If you refuse the strictly-necessary session cookie, you won't be able to stay signed in.
We respond to the Global Privacy Control (GPC) signal as a request to opt out of any sale or share of personal information for cross-context behavioral advertising — though we do not sell or share your information for that purpose in any case.
8. Data retention
We keep your information only as long as we need it for the purposes described in §4, or as long as the law requires us to keep it.
- Account and profile records. Kept while your subscription is active, plus ninety days after closure to allow for reactivation. After that, deletion cascades through all per-account tables and is irreversible — except for the records below that we keep for legal reasons.
- Payment and billing records. Seven years, to meet tax and audit obligations.
- Sign-in metadata. Thirty days, then deleted.
- Support communications. Three years from the last interaction.
- Product telemetry. Aggregated data indefinitely; identifiable records pruned within twelve months.
- Marketing preferences and opt-out records. Kept for as long as we need them to honor your choices.
- ShoDhen Context API logs. Identifiable request and response records retained for thirteen months for billing reconciliation and abuse investigation, then de-identified.
When you close your account we delete or anonymize information that we are not required to retain for legal, tax, audit, or fraud-prevention reasons. After deletion we keep only anonymized aggregate data and the legally-required records listed above.
9. Your rights
You have rights over the information we hold about you. The specific rights you have depend on where you live.
Everyone. You can ask us what information we hold about you, ask us to correct it, ask us to delete it, and ask us to send you a copy in a portable format. You can also close your account at any time.
Two of these are self-service from your Account Privacy page (sign-in required):
- Access / portability. Download a JSON export of all the data we hold about you.
- Erasure. Request account deletion. Deletion cascades through all per-account tables and is irreversible.
For correction, or to exercise any right by email, contact privacy@shodhen.com.
California residents. Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, you have the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of any sale or share of it for cross-context behavioral advertising (we do not sell or share for that purpose), the right to limit use of sensitive personal information, and the right not to be retaliated against for exercising these rights. You can exercise these rights by emailing privacy@shodhen.com. We will verify your identity before responding.
Oregon residents. Under the Oregon Consumer Privacy Act, Oregon residents have the right to confirm whether we process their personal data, to access and obtain a copy of that data, to correct inaccuracies, to delete personal data, to opt out of targeted advertising, sale, and certain profiling decisions, and to appeal a denial. You can exercise these rights by emailing privacy@shodhen.com.
EU and UK residents. Under the General Data Protection Regulation (GDPR) and the UK GDPR, you have the rights of access, rectification, erasure, restriction, data portability, and objection. You also have the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are contract (delivery of the services you've signed up for), legitimate interest (operating, improving, and securing the services), consent (where we ask for it), and legal obligation (tax, audit, lawful process).
How to exercise your rights. Email privacy@shodhen.com with your account email and the right you want to exercise. We will respond within the timeline the applicable law requires, and within forty-five days in any case.
10. Security
We protect your information with reasonable administrative, technical, and physical safeguards. These include encryption in transit, access controls on our internal systems, vendor-vetting before we onboard a service provider, and regular review of our practices.
No system is perfectly secure. If we ever experience a breach that affects your information, we will notify you as required by law and tell you what we know about what happened and what you can do.
You also play a role: keep access to your email account secure (that's how we sign you in), protect any passkey you've set up, never share sign-in links or recovery codes, and tell us right away if you think your account has been compromised.
11. Children's policy
The ShoDhen services are not directed to children and are not intended for users under eighteen years of age. We do not knowingly collect personal information from anyone under eighteen. If you believe a child has provided us information, please email privacy@shodhen.com and we will delete it.
12. International transfers
We are based in the United States and the services are operated from the United States. If you use the services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States. United States data-protection law may differ from the law of the country you are in.
For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable.
13. Changes to this Policy
We may update this Policy from time to time. When we make a material change we will post the updated Policy at shodhen.com/privacy, update the effective date at the top, and (for material changes) notify you by email or through the product before the change takes effect. Continued use of the services after a change means you accept the updated Policy.
Older versions are archived and remain accessible on request.
14. How to contact us
For privacy questions, requests, or complaints, contact us at:
Common Nexus LLC dba ShoDhen
Attn: Privacy
9620 NE Tanasbourne Dr, Suite 300, Hillsboro, OR 97124
Email: privacy@shodhen.com
General support: support@shodhen.com
Legal notices: legal@shodhen.com